security-scanning-security-hardening

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes external targets (passed via $ARGUMENTS) which could include source code, configuration files, or infrastructure definitions. These inputs might contain malicious instructions designed to subvert the sub-agents' behavior during analysis or remediation.
  • Ingestion points: The target specified in $ARGUMENTS is the primary input for all 13 sub-skills, including scanning, architecture review, and code fixing.
  • Boundary markers: No specific delimiters (like triple backticks or XML tags) or 'ignore embedded instructions' warnings are used when passing untrusted target data to the sub-agents.
  • Capability inventory: The workflow utilizes high-capability sub-agents, including 'security-auditor' (capable of running exploits), 'backend-security-coder' (capable of modifying application code), and 'deployment-engineer' (capable of modifying infrastructure and secrets management).
  • Sanitization: There are no specified sanitization or validation steps to neutralize instructions within the target data before it is processed by the agents.
  • [COMMAND_EXECUTION]: The skill explicitly directs sub-agents to execute a wide array of powerful security and penetration testing tools, including Semgrep, SonarQube, OWASP ZAP, Snyk, Trivy, GitLeaks, TruffleHog, Burp Suite, and Metasploit. It also instructs the use of 'custom exploits' and directs agents to 'apply security patches' directly to the codebase. While these tools are used for their intended security purposes, the breadth of command execution and code modification capabilities necessitates strict authorization and environment isolation.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 4, 2026, 02:03 PM